Posted by timothy on Sunday July 28, 2013 @02:51PM
from the click-here-if-you-didn't-read-the-above dept.

MojoKid writes "On Friday, we learned that the mobile industry has developed a short-form notice for mobile apps that tells users if the app is collecting their data and in what areas (i.e., phone call and text logs, location data, and so on) that would appear before app download begins. The program is currently voluntary and being tested, and although on the surface it seems like a step forward for consumer protection, some industry consumer rights groups are opposed to it. Jeffrey Chester of the Center for Digital Democracy (CDD) told us that, with respect to all the work that the industry put into the plan, he doesn't believe the new code of conduct will actually do much for consumers. "The process ignored the actual mobile app business practices, and refused to engage in the testing that's required," he said. "Words on a small screen--even if better than long and hard to find privacy policies--doesn't mean anything unless we know it tells users: one, what data is actually collected and how it is to be used, and two, whether they will see it in the first place.""

But in reality, a tiny sliver of individuals will ever read this. It would be more useful if it were in the App Stores or a screen on the device you could easily find to get the info. It will be another "EULA" which people just hit "Accept" for

Despite the local hate, this is actually something the WinPhone software store does fairly well. Every program entry has a list of what resources it makes use of. As far as I can tell, this list is generated by Microsoft, so it doesn't include any explanation of why Tetris requires GPS and camera control, but it also means the programmers can't lie about what the program gets access to.

Android already does this. The OS has a set of permissions available for apps (get location data, use camera, access internet, etc.) These permissions are displayed to the user when the app is installed, giving the user the chance to reject the app if the permissions are unacceptable.

The problem with Android's permission model is it doesn't tell you *how* it will use the permissions you give it, or allow you to pick and choose those permissions; it's an all or nothing thing. What I would love is to selectively choose the permissions to grant an app and fake the permissions I don't allow; for example, give the app access to a fake contacts list so the app itself has no idea whether it has access to my real contacts.

I'm a developer who writes free "apps". The developers who think that their website, program, or whatever is a privilege and deserves to advert the hell out of people for viewing it are the real ignorant ones. Add a donation link, if you don't like that route then remove your website or program from the internet while users find a better alternative not written by arrogant people. I prefer you didn't use stupid generalizations and say that all free programs earn money by tracking/ads. The programs written b

I'm one of those "consumers" who expects that "free" means "free". I don't expect to be offered a free service, when in reality that "free" service is exploiting me in some way. I expect the offer to be very upfront, and informative. "In exchange for this nearly worthless service, the Company will use this app to mine all the data on your device. Please select "accept" to proceed with installation."

The latest nightly builds of CyanogenMod have a feature called Privacy Guard which mostly addresses this issue. You can select which apps have access to your contacts, phone logs, location, etc. Currently it doesn't support finer granularity than that (e.g. only forbidding location service to a specific app) but they are still working on an advanced mode for that capability. Expect to see the Privacy Guard feature in the next stable release of CM which will likely be 10.2.

What I would love is to selectively choose the permissions to grant an app and fake the permissions I don't allow; for example, give the app access to a fake contacts list so the app itself has no idea whether it has access to my real contacts.

The new Jelly Bean release finally has the beginnings of just such a feature [androidpolice.com]. It's still hidden to the user because it doesn't seem to be quite finished yet, and it's a bit broken in that the permissions you are allowed to enable/disable for an app only seem to show up in the list after the app has used that permission once before, but it's definitely a start! There's an app in the Play store [google.com] (which does not require any permissions!) that will give you a launcher to the hidden WIP "App Ops" interface.

The problem with Android permissions is that a lot of apps request internet and sdcard access and there is no way to know what kind of data is going to be exchanged. Benign usage would be downloading ads and dynamic content, for the apps that are just a wrapper for a website. But for all I know, an app could be scanning the sd card for interesting data and feeding it to big brother.

It is easy to point a finger at what one sees as a problem. It is much harder to find solutions to those problems. Let's see a few consumer organizations come up with what they would want to see instead of just criticizing. They will find it much more difficult than they seem to believe.

If when a company like Facebook gets caught (as I believe they did recently) grabbing contact data without authorization they'd get the "CFAA-book" thrown at them by the federal government. Novel idea, right? Your mobile phone is your computer system in the palm of your hand. They greatly exceeded reasonable access. They're "hackers**" so eff them and eff them hard in the federal court for "hacking."

**Term Nazis: we all know Hacker != Cracker outside of an African-American Studies program on race in IT...;)

Agreed on all points - but until people start quitting these services when they pull stunts like this, there will not be much pressure for action either internally or externally.

For what little it's worth, I quit Facebook after that shadow profile revelation. But they're hardly alone - Google+ announced some time ago that they basically do the same thing, and I don't see a lot of outrage over that.

Simpson continued: “A year after calling for privacy legislation, we have seen nothing from the administration. This multi-stakeholder process has been a diversion and a waste of time. President Obama, if you are serious about protecting consumers’ privacy, show us your proposed legislation.”

Instead of sitting on the sidelines sniping at people who are trying to make progress how bout you get off your ass and propose some legislation of your own? If you "are serious about protecting consumers’ privacy" how about you help make some progress instead of just being an obstruction. "You do the work and we'll shoot it down" is not very productive.

On iOS, when an app tries to access, say, your contacts - at that point you are given a pop up that asks you to allow or deny that action.

There are several apps that I've found useful, but which want to do things for which there's no good reason (like the aforementioned contacts access). It's also nice with apps like Twitter or LinkedIn, where I might want to use them occasionally but don't want them spamming me with unwanted notifications or "services".

This is an unfixable issue. I used 'my' Facebook account to connect to the comment services of several EXTREMELY major publications. Every single one of these organisations wanted to slurp my entire private Facebook dataset. Obviously, with this account, I could say "sure, go ahead" but my point is that there is an absolute expectation by every player, big or small, that they can abuse the user in return for the service they offer the user for 'free'.

We're the phone company. We don't care what you little people want, need, or think is important. We don't have to. We never did, and we likely never will because you believe that you absolutely must be able to yack and/or text with your BFF, and update your TwitBook status. That all too common pathology will keep you bending over for just about any abuse we or our real customers care to put to you. So shut up and take it, bitches.